From: Grant <emailgrant@×××××.com>
To: Gentoo mailing list <gentoo-user@l.g.o>
Subject: Re: [gentoo-user] {OT} RAM & apache MaxClients (rock & a hard place)
Date: Mon, 11 Mar 2013 04:40:30
Message-Id: CAN0CFw1h0s12i3OROMCVkaAU9_GqpbtjFsPjWjCxZPGha3Y9yQ@mail.gmail.com
In Reply to: Re: [gentoo-user] {OT} RAM & apache MaxClients (rock & a hard place) by Nilesh Govindrajan

>> You guys were so right. What an excellent http server/proxy. I used
>> this very simple howto:
>>
>> http://kbeezie.com/apache-with-nginx/
>>
>> I can probably dump a lot of apache config. I still need SSL on both
>> servers even though only nginx faces the user?
>>
>> For imap proxy, nginx requires an HTTP auth server and I can't figure
>> out what that refers to. I can stick with imapproxy there.
>
> You don't need SSL at both. Only nginx is enough.
> But to ensure nginx performs well at SSL, follow this - http://matt.io/entry/ur

Check out this post:

http://www.hybridforge.com/blog/nginx-ssl-ciphers-and-pci-compliance

They show you how to disable the slow DHE ciphers and also how to make
nginx immune to the BEAST SSL vulnerability:

ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;
ssl_prefer_server_ciphers on;

They also mention this for PCI compliance (which disables SSLv2):

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

but that seems to be the current default in nginx:

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols

- Grant
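
Added example, not part of the message above or of the linked post: a small Python check that reads an nginx config and reports whether the three settings mentioned in the message are in effect (SSLv2 absent from `ssl_protocols`, DHE key exchange excluded from `ssl_ciphers`, server cipher preference on). The function names, the sample config and the set of DHE keyword aliases are assumptions made for this example.

```python
import re

# Cipher-string keywords for ephemeral-DH key exchange (alias set is an assumption).
DHE_KEYWORDS = {"kEDH", "kDHE", "EDH", "DHE"}

# Constructed sample config using the directives quoted in the message.
SAMPLE_CONF = """
server {
    listen 443 ssl;        # hypothetical vhost
    ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;
    ssl_prefer_server_ciphers on;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""

def parse_directives(conf_text):
    """Map each directive name to the argument lists of all its occurrences."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # naive: ignores '#' inside quotes
    found = {}
    for stmt in re.split(r"[;{}]", text):
        tokens = stmt.split()
        if tokens:
            args = [t.strip("'\"") for t in tokens[1:]]
            found.setdefault(tokens[0], []).append(args)
    return found

def excludes_dhe(cipher_args):
    """True if the cipher string permanently ('!') excludes DHE key exchange."""
    tokens = re.split(r"[:, ]+", " ".join(cipher_args))
    return any(t.startswith("!") and t[1:] in DHE_KEYWORDS for t in tokens)

def audit_ssl(conf_text):
    """Return {check: True/False, or None when the directive is not set}."""
    d = parse_directives(conf_text)
    protocols = d.get("ssl_protocols")
    ciphers = d.get("ssl_ciphers")
    prefer = d.get("ssl_prefer_server_ciphers", [])
    return {
        "sslv2_disabled": None if protocols is None
            else all("SSLv2" not in args for args in protocols),
        "dhe_excluded": None if ciphers is None
            else all(excludes_dhe(args) for args in ciphers),
        # nginx leaves server cipher preference off unless told otherwise
        "server_prefers_ciphers": bool(prefer) and all(a == ["on"] for a in prefer),
    }

if __name__ == "__main__":
    for check, ok in audit_ssl(SAMPLE_CONF).items():
        print(f"{check}: {ok}")
```

A `None` result means the directive is not set in the file, so the value compiled into the installed nginx applies and has to be checked against that version's documentation.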